What Personal Data Should a Contract for Services Contain, and What Personal Data May It Not Contain?
ANSWER
The GDPR does not in any of its articles specify what personal data a data controller may or may not process for a particular processing purpose. This determination rests with the data controller, as it is the controller who decides what personal data is necessary to achieve the processing purpose.
The data controller's obligation is to comply with the GDPR, including its principles as set out in Article 5 GDPR. One of those principles is the data minimisation principle, which provides that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR).
What personal data is necessary for concluding a contract for services is determined by the data controller on a case-by-case basis. The data should unambiguously identify the natural person with whom the contract is being concluded. In some cases, it will be appropriate to include in the recitals of the agreement data such as name and surname, address of residence, PESEL number, and identity card number; in others, for example, the identity card number may be considered excessive. This will depend entirely on the purpose for which the controller is processing that data or, put differently, on whether the identity card number is necessary for concluding such an agreement. If it is, then that item of personal data will not be considered excessive.


